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(54) Enhanced encryption control system for a mail processing system having data center 
verification 



(57) A key control system Gorrprtses the generation 
of a first set of predetermined keys Kp^c^ which are then 
used as master keys for a pluralrty of respective postage 
meters (12). The keys are then related to a respective 
meter (12) in accordance with a map or algorithm. The 
predetermined master key Kpr^j is encrypted with the 
date to yield a date dependent key Kdd related to the 
respective meter (12). The date dependent key is 
encrypted with a unique kientifier or the respective 
meter to yieW a witque key Kfi^^ that is t>y the respec- 
tive meter to generate digital tokens. The Data Center 
(16) enaypts the date with each predetermined key 
Kp«d to yieW a table of dependent keys K^d's. The table 
of K(tj*s are distributed to verification sites. The verifica- 
tion site reads a meter's klentif ication from a mailpiece 
being verified to obtain the dependent key Kdd of the 
meter (12). The verifteabon side (34) encrypts the 
dependent key with the unique kjentifier to obtain 
the unique meter key which is used to verify tokens gen- 
erated by the meter (12). In the preferred ennbodiment 
the master key Kp^^. the date dependent kofK^.anA 
the unique key Kfinai. >n the meter are stored in the 
meter. In the alternate errtxxjiment the master key 
Kpr«d is encrypted with a i^ue meter kjertttfier to 
obtain and the unique key Kfmai which is stored in the 
meter (12). The meter then generates its date depend- 
ent key Kdd> ^>ch is used to generate digital tokens. 
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Description 

The invention relates to mail processing systems 
and methods and more particularly to security of post- 
age metering systems. 

Recent advances in digital printing technology have 
made it possible to implement digital, i.e.. bit map 
addressable, printing lor the purpose of evidencing pay- 
ment of postage by a postage-meter-iike device. Where 
necessary in order to distinguish such postage^eter- 
like devices from the typical postage meter, such 
devices will be called herein Postage Evidencing 
Devices or PED's. In such devices, the primer may be a 
typical stand-atone printer. The computer driven prirtter 
of such a PED can print the postal indicia in a desired 
location on the face of a mail piece. Further, as used 
herein the postal indicia will be defined as the Postal 
Revenue Block or PR6. The PRB typically contains data 
such as the postage value a unique PED identification 
number, the date and in some applications the name of 
the place where the mail is originating. It must be noted, 
however that the term postage meter as used herein wiU 
be understood to cover the various types of postage 
accounting systens including such PED's and ts not to 
be limited by the type of printer used. 

Rom the Post Office's point of view, ft wiH be appre- 
ciated that a serious problem associated with PED's is 
that the digital printing makes it fairiy easy to counterleit 
the PRB since any suitable computer and printer may 
be used to generate multiple images. In tact many of 
these new PED systems may be u^ng printers that are 
abe to print legtttmate indk:ia which are indistinguisha- 
ble from those printed by others that are printed without 
any attenrpt to purchase postage. 

In order to validate a mailpiece, that ts to assure 
that accoimting fa the postage anwunt printed on a 
matlpiece has been property done, rt is known that one 
may include as a part of the franking an encrypted 
nunnber such that, for instance the value of the franking 
may be determined from the encryption to learn 
whether the value as primed on the mailpiece Is correct 
See for example. US. Patent r4os. 4.757.537 and 
4.775.246 to Edebnann et al. as well as U.S. Patent No. 
4.649,266 to Eckert It is also known to authenticate a 
mailpiece by including the address as a further part of 
the encryption as described in US. Patent ^k>. 
4.725.718 to Sansone et al and US. Patent No 
4.743.747 to Fougere et al. 

U.S. Patent No. 5.170.044 to Pastor describes a 
system wherein include a binary anay and the actual 
arrays of pixels are scanned in order to identify the pro- 
vider of the mailpiece and to recover other encrypted 
plaintext information. U.S. Patent No 5.142.577 to Pas- 
tor describes various alternatives to the DES encoding 
for encrypting a message and for conparing the 
decrypted postal information to the plaintext information 
on the mailpiece. 

U.K. 2.251.210A to Gilham describes a meter that 



contains an electronic calendar to inhibit operation of 
the franking machine on a periodic basis to ensure that 
the user conveys accounting information to the postal 
authaities. U.S. Patent No 5.008.827 to Sansone et at, 

5 desaibes a system for updating rates and regulation 
parameters at each meter via a convnunication networii 
between the meter and a data center. While the meter is 
on-line status registers in the meter are checked and an 
alarm condition raised rf an anomaly is detected. 

TO US. Patent No. 5.390.251 to Pastor et al. describes 
a mail processing system lor controlling the validity of 
printing of indicia on mailpieces from a potentially large 
number of users of postage meters includes apparatus 
disposed in each postage meter for generating a code 

15 end tor printing the code on each mailpiece. The code is 
an enaypted representation of the postage meter appa- 
ratus printing the indicia and other information uniquely 
determinative of the legitimacy of postage on ti^e maa- 
pieces. The keys for the code generating apparatus are 

20 changed at predetermined time intervate in each of the 
meters. A security center includes apparatus for main- 
taining a security code database and for keeping track 
of the keys for generating security codes in coaespond- 
ence with the changes in each generating apparatus 

2S and the information printed on the mailpiece by the 
pcetage meter apparatus for comparison with the code 
printed on the nWlpiece. There may be two codes 
printed, one used by the Postal Service for its security 
checte and one by the manufacturer. The encryption 

30 key may be changed at predetermined intervals or on a 
daily basis or for printing each mailpiece. 

It win be appreciated that in order to verify the infor- 
mation in the PRB using the encrypted message, the 
verifier must first be able to obtain the key used by the 

35 particular meter. In trying to deal with mailing systenrB 
which may incorporate such encryption systems, it must 
be recognized that the meter population is large and 
subject to constant fluctuation as meters are added and 
removed from senrice. If the same key were to be used 

40 for alt meters, the key distrtxjtion is simple but the sys- 
tem is not secure. Once the code is broken by anyone, 
the key may be made available to others using the sys- 
tem and the entire operation is c omprom is ed. However, 
if separate keys are used respectively for each meter 

45 then key management potentially becomes eoctremely 
difficult considering the fluctuations in such a large pop- 
ulation. 

European Patent Publication No. 0647924. filed 
October 7, 1994. and assigned to the assignee of ttie 

50 instant applk»tion. describes a key management sys- 
tem for mail processing ttiat assigns one of a set of pre- 
determined keys by a determined relationship to a 
particular meter, effectively altowing multiple meters to 
share a single key. The key managenwnt system 

55 includes the generation of a first set of keys which are 
then used for a plurality of respective postage meters A 
first key of the first set of key is tiien related to a specific 
meter in accordance with a map or algorithm. The first 
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key may be changed by entering a second key via an 
encryption using the first key. 

It has been found that although the system 
desaibed in European Patent Publicatton Na 0647924 
previously eoted and hereafter referred to a the "1000 
key system" provides a manageable key management 
system, the system has multiple meters sharing the 
same key. 

It is therefore an object of the invention to provide a 
key management system which provides the improved 
security 1000 key system and yet whk:h will allow ease 
of key management in a very large system. 

It is another object to provide a method for easily 
changing the keys for each meter in a manner that pro- 
vides improved security and system wkje tracking of the 
key changes. 

In accordance with the present invention, a key 
control system comprises the generatk^n of a first set of 
predetermined keys Kp,90 which are then used as mas- 
ter keys for a plurality of respective postage meters. The 
keys are then, related to a respective meter in accord- 
ance with a map or atgorithm. The predetermined mas- 
ter key Kpr«] is encrypted with the date to yield a date 
dependent key K^d related to the respective meter. The 
date dependent key is encrypted with a unique iderrtif ier 
of the respective meter to yield a unique key that is 
used by the respective meter to generate digital tokens. 
The Data Center enaypts the date with each predeter- 
mined key Kpr«d to yiekj a table of dependent keys 
Kdd's- The table of t^d's are distributed to verificatkxi 
sites. The verificatk)n site reads a meter's identificatk)n 
from a mailpiece being verified to kxM tp the dependent 
key Kdd of the rneter from the distnbuted table. The ver- 
ffnation site encrypts the dependent key Kdd with the 
unique identifier to obtain the unk^ue meter key which is 
used to verify tokens gerterated by the meter. 

In a preferred embodiment the nr>ethod in accord- 
ance with the inventk)n further comprises the steps of 
storing the master key Kf^^d, the date dependent key 
Kdd. ^ the unique key Kfj^ai . in the meter. 

In an atterriaie embodiment the master key Kpr^j is 
encrypted wtth a unique meter identifier to obtain the 
unique key which is stored in the nr>eter. The meter 
then generates its date dependent key which is 
used to generate digital tokens. 

The above and other objects and advantages of the 
present invention wit) be apparent upon oonskieration of 
the following detailed description taken in conjunctkxi 
with accompanying drawings, in which like reference 
characters refer to like parts throughout and in which: 

Rg. 1 . is a schematk; view of a system which may 
be used in accordance with an embodiment of the 
invention; 

Rgs. 2a and 2b illustrates the informatk)n which 
may be printed in a first embodiment of a PRB in 
accordance with an embodimem of the invention; 
Figs. 3a and 3b illustrate an alternative to the infor- 



matk>n shown in Ftg. 2a and 2b; 

Rg. 4 is a ftow chart of the operation for providing 

keys in accordance with an embodiment of the 

invention: 

5 Rg. 5 is a flow chart of meter operatk>n in accord- 
ance with the prefenred enrttxxitment of the present 
invention; 

Rg. 6 is a flow chart of meter operation in accord- 
ance with an alternate embodiment of the present 
10 invention; 

Rg. 7 is a fk3w chart of data center operation in 
accordance with the preferred embodiment of the 
present invention; 

Rg. 8 is a flow chart of the verification process; 
15 Rg. 9 is a bk>ck cfiagram of the preferred embodi- 
ment of the present invention; and 
Rg. 10 is a tkxk diagram of an alternate embodi- 
ment of the present invention. 

20 In Rg. 1 , there ie shown generally at 10 an overall 
system in accordance with an embedment of the inven- 
tion. In the embodiment aiustrated, the system com- 
prises a meter a PED 12 interacting with a plurality of 
different centers. A fiist center is a welt-known meter- 

25 fund resetting center 14 of a type desaft>ed. for exam- 
ple, in US. Patent No. 4.097.923 whk:h is suitable for 
remotely adding funds to the meter to enable it to con- 
tinue the operation of dispensing value bearing indicia. 
In accordance with an embodiment of the invention 

30 there is also established a security or forensic center 16 
whk:h may of course be physk:ally tocated at the reset- 
ting center 14 but is shown here separately for ease of 
understanding. Attematively. such a security or forensic 
center couti be an entirely separate fadity maintained 

35 by the Postal Authorities, for instance or two separate 
facilities may be maintained in order to provkje levels of 
security, if desired. The dashed lines in Rg. 1 incficate 
telecommunication between the nr>6ter 12 and the reset- 
ting center 14 (and/or forensic center 16). 

40 Typically there may be an associated meter distri- 
bution center 1 8 which is utilized to simplify the logistics 
of placing meters with respective users. Similarly, a 
business processing center 20 is utiized for the pur- 
pose of processing orders for meters and for administra- 

45 tion Of the various tasks relating to the meter popUatkx) 
as a whole. 

The n)eter manufacturer indkated at 22 provides 
customized meters or PED's to the distribution center 
18 after establishing operabiBty with shop checks 

50 between the manufacturer and the resetting center 14 
and forensic center 16. The meter or PED is unlocked at 
the user's facility by a customer servk;e representative 
indicated here by the box 24. 

At the resetting center 14 a database 26 relating to 

55 meters and meter transactions is maintained. The reset- 
ting combinations are generated by a secured appara- 
tus labeled here as the Black Box 28. The details of 
such a resetting arrangement are found in U.S. Patent 



EP0840 258 A2 



6 



NO 4 097,923. here«tthspec»icalhrinco.poraie^^^ 
erencTherein. and will not be lurther descr4)«l here 
"Talse 30 and a seoired '^^^^ 
anoaratus, designated here as Orange Box 32. a^e 
»i the security or torensic center 16. The 
maintained at t^e secumr « _,-«<airi mictvd- 

a^Slt^ents are Kno^ and the '"^ent«^ l«^ 
to me specific entwdiment using DES encryptonj^e 
seTLi^torensK: center 16. wherever niam««ed « 
S*/ connected by telecommunicawn wrthany 
CSL inspecbon station, one of wh«h « «J«ated 

'Turner details are to be found «,Eu|ope«,^^ 
Publi^ NO. 0647924. pr«k«ly noted «Kl sp«:-H 

'^"^jS:'^«i.SrS^«asecure^ 

^.«,n«ybeinp.en^-compjJ|^ 

in dedicated chips which prwide P«vamri»Ue caw" 
LWrts. AtsTstored within the regist«oMhen«W 

"S;^^ resetting l«y 42. ^J^**^ 
«on dates 46 and preferably. '^J^J^J'^ 

DES^Si^nSn^ter 12top.««ean er»r^ 
^,^!L.nationinthePRB.orea*^o.me 

?RB on a mailpiece. M each 

;i^sr;5srcSKrerr^ 
Thtrri'^cooTs^^^^ 

token) is a truncated aphertaxt producao oyuca 
'S*^ 0. the message based on pcaaaein^ 
Sn^ilabte to the meter. Veriticalion aMhe sawjr 
Sitrconsists 01 v-i1ying th-t ^ «^ 

both me ECODE -Id me V^'^r^^V^ 
reliable. A typic-1 l«iglh of f*^:^;^^^^^ 
exanple only and not by w^ 
me meter ID (typically 7 <P^^Sn , o^ 

its. suitably me last 2 of me ^ 
determined starting date such as January i). ™ 
pJS^S»unt(4digits).andmepieceo^.to^^^ 

A DES b»ock is corwertionally 64-brt6 long, or 

JL^^TS^^^ ''^ I^Sed'tS 
^^winr. nf fed bits of data, it will be appreoateo mai 
SSTnit^n^ytes^ectedandmatlessthanme 



information provided here may be encrypted m ome 
2^ninS of the inventionHis however ini^^^ 

Semat me informatioi to be ^i^^^ 
Htomat used in verification. To mis end me plaintext 
, rS^rni^Sciudedatav^-d^^ 

lar information which is encrypted. This n^tete tr^ 

farm of an additional character, ^^^^ 
a marKing on me mailpiece as may be ^"^^^^ 
n desired, a second ECODE could be pn"ted i»ng 
,0 aDEs!Syfromasetofl«vsPS-DEShnowntome 
^ SLce. Atternatively me Postal Ser«« co^^^ 
So manage its own set Of Keys as d^bedm«j^ 
nection wim me key management system descnbed 

,5 '^'^afirstentxxJimern.asshowninFigs.Zaand^ 

meSSme^isenayptedusingoneofmeK^J^n 

PS-OES. The Postal Service uses me same tawfrom 
me«tPS-OEStov«ifythem«saBeJ^h«herl«elof 

sacimtv is oroinded by the second ECODE. 
« "Ta sS-enSLmenttwoECODEsare g^^^ 
ated and printed on me mailpiece. one us»ig a PS-DE5 

S^^SSTby the Post 

vSrt^ES toy provided, tor example, by the manutac^ 

H w-r^sMoe using its own code generating and 
" iTnli^sSS While me vendor can sepa- 

aTshow me tom«l of this second entodin^ 

ton NO. 0647924. previously noted, f''^ '^^}^ 
JJoTpredetermited keys ^W* * '"^•JtH 
S) wen below, the system S in «co«ter«j^ 
35 5« invention corn^Hses a set of P(*««W.^^^^ 
Ls indexed by the pointer (keypl and a map F or gw 

!SrSSSn frc^nme set o. meter IDs (MJ to me 
sat of pointers. Tlws: 

S-(F.lPl.l«W4)'8«'««y«*" 
40 F:{M)->(P) 
and 

F(M)-F(meterlD).p 
finds me pointer to me key tor a given mew M_ 

m*7etuming to Bg. 4. « an exarrje. the sjof 
« P0ime,.(P»*hi*mayb.lh.jnto8e.s^^ 
ve aeated from meter parameters. »» 
S!c2;« F may be men "t^.^.nr^- 
DES encrvBtion of meter ID iwng a DES Key "v. 
SltiSy^SSS to mree digits, at step 410 and a 

SSo^othertunctionalrelationshipsm^bed^ 
T^iookHp table conprises a set of meter ID s a«l 
ttSr asS«J pointers. For me greatest "Oirrty. rt w." 
hTl^Saed^at me relationship between a porter p 
^^^™dJ« key should not be easily discov 

alS^me meta ID. It will also be underetood mat me 
hinctton F should be mairtained m seaet. 
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Referring nan to Figs. 5 and 9. the preferred 
errtDOdiment of ttie present invention is shown. At step 
420. using the meter. ID of a specific meter in the look- 
up table, the con-esponding Kp^^ is stored in the meter. 
At step 430, a date dependent key K^cj is generated 
from the predetermined key Kp,«, by encrypting the 
date with K^,^ to yield the K^^ for the meter. At step 
435, a unique meter identifier, such as a meter serial 
nunt>er. is encrypted wrth the date dependent key Kdd 
to produce a unique key Kfinai tor the meter. The met©* 
generates digital tokens using its unique key \<^-^. 

Referring now to FIGs. 6 and 10. an alternate 
embodiment of the meter operation is shown. At step 
470, a unique meter identifier, such as a meter serial 
number, is encrypted with the predetermined master 
key Kpr«j to yieW a unique key for the meter. The 
unique meter key Kfjnai is stored in the meter at step 
475. Kfinai « used to generate a date dependent key K^d 
in the meter by encrypting the date with K^nai to produce 
date dependent key K^^. 

Referring now to Fig. 7, the data center operatton 
for the prefen-ed embodinrwTt is shown. At step 450. the 
date is encrypted with each predetermined master key 
Kpr^j to yield a table of date dependent keys Kdd's. At 
step 455. the data center distnbutes the table of Kcm's to 
each of the verification sites kx use in verifyino digital 
tokens generated by the meters. 

Referring now to Rg. 8. a verification process is 
shown using the key management system in accord- 
ance with an embodiment of the present invention. In 
order to verify a maitpiece, the meter ID nunrt>er printed 
on the maiipiece is read at step 500. At step 510. using 
the meter ID number a date dependent key K<id is found 
in the table of Kdd's distributed by the data center. The 
key is found using the kwkup table or algorithm F from 
the given meter number. At step 515. the identical 
unique meter data that was used by the meter to obtain 
the meter's unique key K^^ is enoypted with the date 
dependent key K^d* At step 520. the kjenttoal piaintext 
information used to create the ECODE is now enaypled 
at the security center using Kfinai, and the result is oonv 
pared with the code printed on the nrailpiece. at step 
530. H there is a match at decision at step 540. the mail- 
piece is valid. If not the NO branch will trigger an alarm. 

Returning for the moment to Fig. 2a and Fig. 3a, the 
Postal Service is able in these embodiments to obtain 
the PS-DES pointer directly from the indicia without 
using the process shown in Fig. 8. In the cases illus- 
trated in Figs. 2b and 3b. the DES pointer is obtained by 
using a predetermined algaithm applied to the informa- 
tion printed in the PED ID as described in connection 
with Fig. 8. 

While the present invention has been disctosed and 
desaibed with reference to the embodiments disck>sed 
herein, it will be apparent that variations and modifica- 
tions rmy be made therein, tt is thus, intended in the fol- 
lowing claims to cover each variation and nxxfification 
that falls within the true spirit and scope of the present 



invention. 
Claims 

5 1. A method for key management for controlling the 
keys used in encoding infornnation to be printed on 
a n^ilpiece for validating the maiipiece. the method 
comprising the steps of: 

70 generating a plurality of keys K to obtain a fixed 

key set K^^^,ny 

assigning one of said plurality of keys Kpre<j to a 
partk:ular postage meter M (12) by means of a 
determined relationship associated with the 

15 postage meter (12). said relationship being 

derived as a predetermined function F(M) cor- 
responding to the partk^ular postage meter; 
encrypting said assigned key Kp^d ^ & cia^^ 
to obtain an assigned date dependent key K^: 

20 and 

combining the assigned date dependent key 
Kdd infcxmation unk^e to the particular 
postage n>eter M^nj to produce afinal key Kfj^^ 
for the partkaitar postage meter M. such that 

2S Kft^f(Kdd. Hmi). 

2. The method of daim 1 wherein sakj deterntined 
relatkmship associated with the postage meter is a 
pointer p associated with the particular postage 

30 meter M. sakl pointer p being derived as a function 
F(M) conesponding lo predetermined parameters 
of the particular postage meter M. 

3. The method of daim 1 or 2 further comprising the 
35 Steps of: 

encrypting a date with each Kpr«d sakj fixed 
key set Kp^^vn) to yield a table of date 
dependent keys K^dii-n); and 
40 distributng said table of date dependent keys 

Kdd(i-n) to verifteatton sites. 

4. A method for key management for controlling the 
keys used in encoding intormatkxi to be printed on 

45 a nrwulpiece tor validating the maiipiece. the method 
comprising the steps of: 

generating a plurality of keys K to obtain a fixed 
key set Kpr^i.n): 

50 assigning one of said plurality of keys Kp^^ to a 

partk:ular postage meter M by means of a 
determined relationship assodated with the 
postage meter, said relatranship being derived 
as a predetermined function F(M) con^espond- 

55 ing to the particular postage meter: 

confining the assigned key Kp^^ with informa- 
tkm unique to the particular postage meter f^^n. 
to produce a final key Kfinai particular 
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postage 
and 
storing 

postage meter M 



meter M. such that Ktin»i»*(Kdd. '^uni); 



said final key K,„, in the particular 
e meter M. ^ 
5. -me method of daim 4 further conprising the steps 
of. 

encryptii^ sak3 final Hey K,|„^ a 
S^!?aJatedependentKeyK^torthepart«- « 

ular meter li^; and i„-,«Mr. 
storing said date dependenthey Kdd " the par- 

ticuiar meter M. 

6. Themethodofc.aim4or5 wh««n«a*Bt«^ -5 
mined relationship associated wJtt^P^^^ 
mater is a pointer p assooaied with the partKuiar 
X:Xm, Lipointerpbeing^r^ 

SS^ F(M) correspoi-ngte^^-e^ 
parameters of the particular postage meter M. 



» 9. 



, A ..^mnri for kav management for controlling the 
^::^LlSece.orva«datingthemailp.ece.thememl ^ 
corrprising the steps of. 

oeneratlngapluraityofKeysKtooWainafixed 

SiS.IfeedUidplurali.yofl«yslW»« ^ 
^2%ge -T^ter M by .T«ar« of a 30 
SSed^^tiooshp «soci«ied^^ 
^e meter, said reWionshp being denvj 
^ Jedeterrrined fuKbon F(M) correspond- 

?2Sn an assigned date dependent Key 

SJ*ining the date dependent key « 
^ttw unique to the partKUa. P^ 
^Ser to produce a final Key^^ «^ 
particulTpostage meter M. su* that 

^■f(Kdi. Muni)- <s 
- A tar key management for controlling the 

X^-- a mai^iece. the method compr*. 

ing the Steps of : ^ 
generating a pluraKy of keys K to obtain a fixed 

key set Kp,«i(vn)'' . 

Key set Kp«d(i-n) to " ™* js 
dependent Keys Kdd(i.f,): 
dteffibuting said table of date dependent Keys 
K , to verification sites; 

Saintext infomation primed on a ma.1- 



10 

niece said plaintext information including a 
10 aentMng a particular postage meter 

findino a date dependent Key K^d correspond- 
^JShepartcularpostag^ 
rta determined relationship assoc.»*«*r; 
L postage meter, said relat.onsh<p be«^ 
SivShi a predetem^ined function of saKl 

^,;o said meter ID with said date 
dependent Key to obtain a ^'^^^^ 
^aifsm at least some part 01 the plaimext 
SSSSt using saidfinal Key K.„.too«a.na 

SSjaring said code with encoded information 
printed on the mailpiece: and 
^«lid«ting the mailpiece when saKl code 
matchee said encoded information. 

A svatem for Key management for controlling the 
anailpiece tor validating the mailpiece. compns«g. 

m«« fcr gentling a pfuraHty of Keys K to 

obtain a fixed Kay set Kp,^i.n). 

meana for assigning one d^P^«J^ J 

to« K«-i to a partoular postage meter M p 

ESSof adettrnw>ed relationship awoa- 
2eJXtipoa.a8em«er(l2).«^Ja^ 
^being derived as a predetemined 

mSl^ «x enoypting said ^^J^, 
with a date to obtain an assigned date depend 

the assigned ^ 

diSlent Key K« ^^^^^^ 
JToarticular postage meter Mu„ to produce a 

M, such that KftMi-'CWuni'- 

K tar key management for controlling the 
trSSS.2^2Jwormation to be printed on 

^iS2^JSi?ngfhemaiN^.comp^ 

means for generating a plurality o» Keys K to 

obtain a fixed Key art Kprwiivn). 
^ for assigning one of serf pU«l*y «^ 
,D a particular postage mrter M by 
JSrSSTad^ermined relationship a«oaa^ed 

postage meter, s^ ^^^^Jj,^^. 
derived as a P'«latent,.ned function F^cw 
responding to the particular postage mrter 
means foTconWning the assigned Key IV- 
X*,?mSrun«ue to the particulm poj- 
SmeterM„^toproA«eaf^K^IJj«|tor 

tt,e particular postage meter M, such that K,. 
„i-f(Kdd.Mu™);and 
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means tor storing said final key K,„^ in the par- 
ticular postage meter M. 
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(16) encrypts the date with each predetermined key 
Kpr^ to yield a table erf dependent keys Kdd's. The table 
of Kdd's are distributed to verification sites. The verifica- 
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being verified to obtain the dependent key K^d the 
meter (12). The verification side (34) encrypts the 
deperxjent key with the unique identifier to obtain 
the unique meter key which is used to verify tokens gen- 
erated by the meter (12). In the preferred embodiment, 
the master key Kp^d. the date dependent key Kjd. and 
the unique key Kf^^), in the meter are stored in the 
meter, tn the alternate embodiment the master key 
Kproa is encrypted with a unique meter identifier to 
obtain and the unique key Kfinai which is stored in the 
meter (12). The meter then generates its date depend- 
ent key which is used to generate digital tokens. 
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